Microsoft’s tweaks to Skype could facilitate wiretapping (Updated)


VoIP, the voice-over-IP communications technology, is slowly making POTS landlines obsolete. SIP providers, VoIP applications, and messaging platforms all use VoIP to provide voice calling on PCs, phones, and mobile devices. One of the most popular VoIP applications is the Skype messaging service. Skype uses a peer-to-peer network of internet nodes to route voice and/or video calls between users around the world. Especially in the case of consumer-grade VoIP, it is significantly cheaper than a traditional landline for voice calls, and it can potentially deliver better sound quality. Another area where VoIP services like Skype excel is as a communication medium for criminals. Thanks to the fast pace of technology and the use of a peer-to-peer connection, Skype has been a decent platform for communicating without much fear of others listening in, to an extent.

Of course, Skype is not a fully decentralized service because it uses so-called “supernodes.” The supernodes are essentially servers that both the caller and the recipient can reach, and the two clients use these mutually-known servers to make the initial introduction. Reportedly, Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls, by allowing the supernodes not only to make the introduction but to actually route the voice data of the calls as well. In this way, the voice data would pass through monitored servers and the call would no longer be private. Note that routing traffic through a server only lets that server listen in if it can decrypt what passes through, which is why the second half of the report matters: this is essentially a man-in-the-middle position, and it is made all the easier because Microsoft, which owns Skype and knows the keys used for the service’s encryption, is the one doing it.

As for what this means for you: if you are not doing anything malicious then you don’t need to worry too much. Patriot Act exceptions aside, you would have to be acting suspiciously enough for a judge to grant a warrant before your conversations could be snooped. With that said, it is a bit disconcerting that it is possible to violate your privacy at all, especially when you aren’t doing anything to warrant such an invasion.

Your best bet for securing your voice communications, for the simple sake of privacy, is to set up your own VoIP “softphone” with open source SIP software and use end-to-end encryption with keys that you control. In practice that means ZRTP for the key agreement and SRTP for protecting the voice (RTP) stream between you and the recipient. SRTP (RFC 3711) does not encrypt with the negotiated key directly: by default a 128-bit master key and a 112-bit master salt, both supplied by the ZRTP (or similar) exchange, are fed through an AES counter-mode key derivation function that produces separate session keys for encryption, authentication, and salting, and the same derivation is rerun at a configurable key derivation rate as the packet index grows. The salt is not there to make brute force more expensive; it is mixed into the derivation and into the per-packet IV so that an attacker cannot precompute keystream or reuse work across sessions that happen to share a key.
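As an added illustration of the derivation step described above (example code written for this page, not taken from any SIP, ZRTP or SRTP project), here is the default SRTP key derivation function of RFC 3711 in Go. It takes a master key and master salt, which in practice would come from the ZRTP exchange, and produces the per-session cipher key, authentication key and salt. The master values used in main() are the published test vectors from the RFC’s Appendix B.3, so the output can be checked against the standard; the function and type names are this example’s own.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// SRTP key derivation labels (RFC 3711, section 4.3.1).
const (
	LabelRTPEncryption = 0x00
	LabelRTPAuth       = 0x01
	LabelRTPSalt       = 0x02
)

// SessionKeys holds what the KDF produces for one direction of an RTP session.
type SessionKeys struct {
	CipherKey []byte // n_e bits, 128 by default
	AuthKey   []byte // n_a bits, 160 by default for HMAC-SHA1
	Salt      []byte // n_s bits, 112 by default
}

// srtpPRF is the AES-CM pseudo-random function of RFC 3711 section 4.3.3:
// x = (label || r) XOR master_salt, keystream = AES-CM(master_key, x * 2^16).
func srtpPRF(masterKey, masterSalt []byte, label byte, r uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, errors.New("srtp: master salt must be 112 bits")
	}
	if r >= 1<<48 {
		return nil, errors.New("srtp: index DIV kdr must fit in 48 bits")
	}
	block, err := aes.NewCipher(masterKey) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	// key_id = label || r is 7 octets and is right-aligned against the 14-octet salt.
	var keyID [7]byte
	keyID[0] = label
	var rb [8]byte
	binary.BigEndian.PutUint64(rb[:], r)
	copy(keyID[1:], rb[2:])
	var x [14]byte
	copy(x[:], masterSalt)
	for i := range keyID {
		x[7+i] ^= keyID[i]
	}
	// x * 2^16: the two trailing zero octets are the counter field of AES-CM.
	var iv [16]byte
	copy(iv[:14], x[:])
	out := make([]byte, 0, n+aes.BlockSize)
	var ks [aes.BlockSize]byte
	for ctr := uint16(0); len(out) < n; ctr++ {
		binary.BigEndian.PutUint16(iv[14:], ctr)
		block.Encrypt(ks[:], iv[:])
		out = append(out, ks[:]...)
	}
	return out[:n], nil
}

// DeriveSessionKeys runs the SRTP KDF for a packet index and key derivation
// rate. kdr == 0 means "derive once" (r = 0); otherwise kdr must be a power
// of two and r = index DIV kdr, so the session keys change as the index grows.
func DeriveSessionKeys(masterKey, masterSalt []byte, index, kdr uint64) (SessionKeys, error) {
	var r uint64
	if kdr != 0 {
		if kdr&(kdr-1) != 0 {
			return SessionKeys{}, errors.New("srtp: key derivation rate must be a power of two")
		}
		r = index / kdr
	}
	ck, err := srtpPRF(masterKey, masterSalt, LabelRTPEncryption, r, 16)
	if err != nil {
		return SessionKeys{}, err
	}
	ak, err := srtpPRF(masterKey, masterSalt, LabelRTPAuth, r, 20)
	if err != nil {
		return SessionKeys{}, err
	}
	sk, err := srtpPRF(masterKey, masterSalt, LabelRTPSalt, r, 14)
	if err != nil {
		return SessionKeys{}, err
	}
	return SessionKeys{CipherKey: ck, AuthKey: ak, Salt: sk}, nil
}

func main() {
	// Master key and salt are the test vectors from RFC 3711 Appendix B.3,
	// standing in for what a ZRTP exchange would hand to the SRTP layer.
	masterKey, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	masterSalt, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	keys, err := DeriveSessionKeys(masterKey, masterSalt, 0, 0)
	if err != nil {
		panic(err)
	}
	fmt.Printf("cipher key: %X\nauth key:   %X\nsalt:       %X\n", keys.CipherKey, keys.AuthKey, keys.Salt)
	// With a key derivation rate of 2^10 packets, index 1024 yields a new key set.
	later, _ := DeriveSessionKeys(masterKey, masterSalt, 1024, 1<<10)
	fmt.Printf("cipher key after rekey: %X\n", later.CipherKey)
}
```

The point to take from the code is that the master key never touches a packet: every session key is an AES output of the salt-mixed label and index, so an attacker who somehow recovers one session key still has to invert AES to get at the master key, and a key derivation rate bounds how much traffic any single session key ever protects.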

The move by Microsoft is somewhat disheartening, but at the end of the day it will not affect the company’s userbase much. Yes, your conversations are potentially less private and secure, but Skype remains one of the easiest, and free, VoIP clients to use. Skype is now essentially equivalent to other traditional forms of communication, like landlines and cellphones, that are already capable of being tapped. From the perspective that monitoring is a necessary evil for finding malicious people, it is not a bad thing for Microsoft to do so long as it conforms to legal procedures and is not abused. That last part is, I think, what worries a lot of privacy conscious people, and if you do value security over convenience there are definitely better options out there than Skype.

Update – 3:33pm – Skype has contacted us to note that the changes were made in order to “improve the Skype user experience”, not to open the doors to tapping.

As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes which can be located on dedicated servers within secure datacenters. This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes). We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community.

And in response to the claim that the source code was leaked, Skype’s Chief Security Officer, Adrian Asher, wrote:

Skype takes all necessary steps to prevent/defeat nefarious attempts to subvert the Skype experience. Skype takes its users’ safety and security seriously and we work tirelessly to ensure each individual has the best possible experience.

Of course a government wiretap is not something a corporation (or most people) would consider to be “nefarious”, but Skype has said to us that the changes were not made to help law enforcement.


warcaster

I would’ve shared your article if not for sooo much Microsoft ass-kissing at the end.

http://twitter.com/timverry Tim Verry

heh, but it is one of the easier VOIP clients to use, I’ve started to use Gmail calling and Google Hangouts primarily but my family and friends all have Skype on their PCs or smartphones and use that; it’s not a complicated interface or setup whereas rolling your own definitely is.

I am going to try out some open source software I came across today though, just to see what that is like to use. At the end part you are referring to, it sort of came down to convenience vs security (because a lot of the process is hidden behind the simplified UI) which is why I said that, you know, it’s one of the easier clients to use but you don’t have full control. It wasn’t intended as ass-kissing, I apologize if it came across that way :). There’s nothing wrong with not using Skype and liking other software, esp. if you are rolling your own custom setup – that’s awesome and by all means geek out on it! :D And on the flip side of that, there’s nothing wrong with appreciating that it’s simple enough for darn near anyone to use and talk to family on.

Hehe, I dunno, please excuse me while I try to find an IV of coffee :). Thanks for commenting warcaster.

hotmusubi

“The move by Microsoft is somewhat disheartening, but at the end of the day it will not effect the company’s userbase much.”

Wrong use of effect.

Also agree with the ass-kissing. Skype used to provide 256-bit end-to-end encryption, and yes some people would use it for criminal activity, but it was also a nice security blanket for perfectly legal uses. Introducing a backdoor introduces vulnerabilities and increases the chances that a criminal may be able to monitor our calls now. Given that, this is still an issue of privacy and trust.

So, to be fair to MSFT & Skype, I’ve expected this move since the purchase, as I believe it’s simply in line with following US laws. I should have phrased myself better, as Skype shouldn’t necessarily lose our trust, but rather must be viewed as more susceptible to privacy concerns. To each his own on whether it will now meet their use case scenarios. For the occasional video chat with my rare Gmail-less friends, it is still my first choice. It has been an important and pioneering product, and I’m sad to see it fall under Microsoft’s wing since it may slow or damage the development of it for competing platforms, such as Android and MacOS (where it’s lagged behind the PC version for years, anyway).

http://twitter.com/timverry Tim Verry

Yeah, that’s sort of my line of thought as well. Hypothetically, even if they definitely were wiretapping calls, it’s not necessarily a “bad” (unlawful or immoral) thing so long as it’s through proper legal channels and such. (Though, to be honest, I’m not sure how that would work with regards to wiretapping calls where one or more parties are not US citizens but live in another country?). It was more of a it may be possible and something to know, just like smartphone and landline providers will work with law enforcement. Skype is convenient for me as a lot of my family has it already installed and ready to answer a call but some people might want to have more control over the encryption and such used, nothing wrong with either option and just depends on the person I suppose.

stompsfrogs

This article was dictated over Skype and Microsoft stepped in to make some editorial changes, right?

http://twitter.com/timverry Tim Verry

I kinda want to hit the like button on this :P But nah it wasn’t, I used google products and an open source text editor called FocusWriter to type it ;).

stompsfrogs

Funny you just replied to me, as I just read this http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
Totally interesting in light of Microsoft’s recent move.

http://twitter.com/timverry Tim Verry

hehe, I never saw that article when it was pub’d, nice find :P 2009 feels like so long ago.. this year is going by too darn fast.

http://www.facebook.com/kristine.theriault Kristine Theriault

Skype works well but I find myself using Google Hangout more often. I use Bitrix24 as my business intranet, but sometimes I need video chat. With google I can add multiple employees for the video conference, then share files through my Bitrix24 software.

http://twitter.com/timverry Tim Verry

hmm I’ve never heard of that Bitrix24 software before, but it sounds sort of like Yammer? Heck, if it’s even half as buggy and actually notifies me of replies, I might try it out hehe.

http://www.facebook.com/kristine.theriault Kristine Theriault

Yeah it’s like Yammer but works pretty flawless, check it out if you have time, you will like it.

jgm

This article offered precisely zero evidence for the claim in the title, only saying “reportedly”, which is meaningless. If Microsoft was making changes, they wouldn’t be using Linux servers, which means the software changes were in the works before Microsoft purchased Skype. That makes the whole premise unfounded.

http://www.facebook.com/profile.php?id=1223563048 Angel Ham

Damn, I guess no more Skype porno chat.

Mike Stanley

Since when do they need a warrant? It isn’t telephone, it is data. It will be identical to the current web portal used to gather cell-phone data, and an additional revenue source for Microsoft as it is for the telcos. I’m going back to encrypted email.

http://profiles.google.com/khimera2000 Jonathan Freeman

The difference is you're going after an individual, and you still have privacy rights to be concerned with. Despite what the news might depict, police do still have to worry about privacy concerns. We're not all public figures.

Think about the use of web portals; they can give you a good idea of what's out there. For the most part the information is collected, but when it is used the identifiers for the individual are removed. In this way user privacy is protected, and corporations can pull the data they need.

Unless you're talking about the phishing scams, trojans, and malicious code that's out there, in which case it's a no-brainer that data taken in this way has individual user information. But what does that have to do with the policies of the web portal?

Mike Stanley

You understand that the Portal I mention is used by Law Enforcement to access all of your cell-phone data without a warrant. I understand that the policy is to provide all data for a fee of approximately $2. No muss, no fuss, no warrant, no notification to the cell-phone user.

http://twitter.com/aswath Aswath Rao

Skype does not have to do this to facilitate wiretapping. When a client signs in, it gets a list of candidate supernodes for it to try. So when a targeted client signs in, its list could include only those supernodes owned by Skype. The second and more important point is that intercepting voice is not a simple matter, not just because, for intercepted calls, voice needs to be routed through relay nodes. Relay nodes should be used for ALL calls. Otherwise, a target can easily infer whether he is being intercepted or not. To summarize, Skype COULD intercept call signaling information even before this change, and even with this change, they cannot easily intercept call content.

What is puzzling is why Skype is not making this statement?

sec_tech

I hope you weren’t an English major.

Anyway, you call what they are potentially doing a man in the middle attack. If what they’re doing is legal and/or sanctioned by Microsoft, how is that an attack? Who is the attacker?

Bob_Robert

Of course Microsoft has to rebuild Skype to make it wiretap friendly. They’re an American company, subject to American law as well as American government extortion. So while all traffic on the backbones was already being mirrored to the NSA, now they have the keys so that anything that has ever been said can be decrypted and studied for “key words”, at least.

http://twitter.com/johaster Prof. dr. J. Sterk

Should we avoid US companies in the future?

Bob_Robert

Just be aware that an American company has to follow American laws. In my opinion, American laws are seriously messed up.

Webmaster Good

Microsoft at it again – fixing things that don’t need fixing, and feeding us some b.s. about doing it for the user experience. Most people I know wouldn’t touch the new Lumia with a barge pole and I’ve been reading how they are collecting royalties on Android phones. They even tried to prevent the city of Munich from switching to Linux. How sickening! I’ve got £3 left on my Skype account and I'm thinking “you know what, I’m out. What’s a Skype alternative?”

It’s naive to suggest that “if you’re not doing anything suspicious”, you don’t have much to worry about from intrusive surveillance. Martin Luther King was under intense government scrutiny, for example, for the “crime” of organizing civil disobedience against unjust racist laws. Governments don’t necessarily wield their overwhelming power sanely or wisely—not to mention legally or morally.

http://twitter.com/johaster Prof. dr. J. Sterk

Indeed many are incredibly naive in this respect. What are the chances Americans will live under autocratic government in 20 years? Read the ‘Patriot’ act for enlightenment!

http://twitter.com/johaster Prof. dr. J. Sterk

The net future effect is that smart criminals set up their own VoIP “softphone” and law-abiding citizens that aren’t to the liking of US plutocracy are being bugged via Skype.

http://twitter.com/johaster Prof. dr. J. Sterk

For European citizens an American cloud-computing provider is already considered a safety risk, because the US government has access to their data via the Patriot Act which does not respect their civil rights. Thus a safe competitor to Skype, e.g. located in Island, would be welcomed particularly given current US political developments.

http://twitter.com/bufbarnaby Joe

All they would hear is me making fun of Obama. No biggie.

http://twitter.com/NoelDickover NoelDickover

What’s the impact to this outside the US. Say, if democracy activists in an authoritarian regime wanted to use Skype, does this purported change allow that government to force Skype to hand over information on specific callers?

preilly2

Tim, there’s a new NBC News story about covert NYPD operations in which officers went out of state as far away as Louisiana to ‘gather information’ on, among other things, so-called liberal advocacy groups. In other words, these weren’t even the feds, and they’re out there spying on people who were simply exercising their constitutional rights of free speech and free assembly. We ALL have a lot to fear from out-of-control surveillance in this country. Please don’t kid yourself otherwise.

http://www.facebook.com/people/Durt-Bagg/1028178789 Durt Bagg

Skype to landline or cell sucks, Skype to Skype is OK most of the time… can’t see using it much anyway.

Use of this site is governed by our Terms of Use and Privacy Policy. Copyright 1996-2015 Ziff Davis, LLC.PCMag Digital Group All Rights Reserved. ExtremeTech is a registered trademark of Ziff Davis, LLC. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, LLC. is prohibited.